
Page 1: Operating System Security - Jayhawk SFS

Operating System Security - 2017 GenCyber Camp

Bo Luo, Associate Professor

Director, Information Assurance Lab, ITTC, The University of Kansas, Lawrence, KS, USA

[email protected]; http://www.ittc.ku.edu/~bluo

Page 2

First Principles of Cybersecurity

The first principles of security are the foundation upon which security mechanisms are reliably built and security policies can be reliably implemented.

Study the principles

Use them to examine the design of real-world security mechanisms

Page 3

Operating System Security

Process Isolation

Resource Encapsulation

Least Privilege

Page 4

Operating System Security

OS: still software

All software security vulnerabilities apply

OS must protect users from each other:

memory protection

file protection

general control and access to objects

user authentication

Page 5

Operating System Security

The fundamental tradeoff of OS security

Operating systems trade off between:

Sharing

Protection

Sharing is desirable

Protection is difficult

Page 6

Operating System Security

Early History

no OS

programs entered directly in binary through switches

user's program is the only one on the system

user responsible for:

loading dependent libraries, other tools

scheduling time to use the computer

OS security?

Page 7

Operating System Security

Later

machines very expensive

people less expensive

maximize use of machine

allow many users


Page 8

Operating System Security

OS protection: separation.

Physical separation, e.g. 1 user per printer

Temporal separation

Logical separation: the user thinks they have their own machine

Cryptographic separation (expensive)

Combinations of these

Page 9

Operating System Security

Levels of Protection

no protection

isolation

share all or nothing

share via access limitation

share by capabilities

limit use of an object


Page 10

Operating System Security

No protection

e.g. early versions of Windows

some embedded environments

designed for one user

no need for isolation, access control, etc.

Page 11

Operating System Security

Isolation

Processes unaware of other processes

Each process: own portion of memory (address space), files, etc.

OS provides confinement

Page 12

Operating System Security

Isolation

Processes unaware of other processes

Each process: own portion of memory (address space), files, etc.

OS provides confinement

Example: a word processor, a database and a browser running on a computer

All running in different address spaces, to ensure correct operation, security and protection

The word processor cannot access the memory of the browser or database.

If two processes are running and one of the processes has a problem, that problem should be confined to the process with the problem and not affect the other process.
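The word processor / browser example above, worked as an added Python example that is not from the slides: fork() gives the child its own copy of the address space, so both its write to the variable and its failing exit stay confined to the child while the parent keeps running. It assumes a POSIX system (os.fork and os.pipe).

```python
import os

# Constructed sample state. Both processes start out seeing [1]; after the
# fork each has its own private copy in its own address space.
COUNTER = [1]

def isolation_demo():
    """Fork a child that overwrites COUNTER and then exits with an error code.
    Returns (parent_view, child_view, child_exit_code)."""
    read_end, write_end = os.pipe()      # the one channel the OS does share
    pid = os.fork()
    if pid == 0:                          # child: separate address space
        os.close(read_end)
        COUNTER[0] = 42                   # changes only the child's copy
        os.write(write_end, str(COUNTER[0]).encode())
        os.close(write_end)
        os._exit(3)                       # "a problem": confined to the child
    os.close(write_end)                   # parent continues here
    child_view = int(os.read(read_end, 16).decode())
    os.close(read_end)
    _, status = os.waitpid(pid, 0)
    return COUNTER[0], child_view, os.WEXITSTATUS(status)
```

The parent still sees 1 after the child wrote 42, and the child's exit code 3 is reported to the parent rather than terminating it.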

Page 13

Operating System Security

Isolation

Processes unaware of other processes

Each process: own portion of memory (address space), files, etc.

OS provides confinement

What if the OS has a bug?

What if the OS is compromised or cannot be trusted?

Page 14

Operating System Security

Isolation

Virtual machines and cloud computing

VMware or VirtualBox: allow multiple operating systems to execute on the same computer without interfering with other programs

Cloud computing

Host OS vs. Guest OS

In this context, each OS is viewed as a process, to be kept separate from the other processes (OSs).

Programs running in each OS should not be aware of programs running on another OS, nor should they be aware of the existence of another OS.

If a guest OS is compromised, it should not affect the host OS or any other guest OS

Page 15

Operating System Security

Some resources still need to be shared

Shared libraries

Files

Database

How should we manage the resources?


Page 16

Resource Encapsulation

A computer has many resources.

Hardware based: memory, disk drives, or monitor

System objects: semaphores, a linked list, or shared memory

Owned by the OS or users

Resources may be shared, but how?

High-level abstraction of resources

Page 17

Resource Encapsulation

Encapsulation: object oriented concept

All data and functions required to use the resource are packaged into a single self-contained component.

Only allow access or manipulation of the resource in the way the designer intended.

Example: assume a flag pole is the object.

Fixed methods to use the flag pole: put the flag on, take the flag off, raise or lower the flag.

Nothing else can be done to the flag pole.

In addition to controlling what operations can be performed on the resource, the system can also control which users can perform these operations on the resource.

Page 18

Access Control

Some resources need to be shared

Which users can perform operations on the resource?

Access control!

Share all or nothing: the owner of the object declares it:

Public: available to all users

Private: not available

Page 19

Access Control

Share via access limitation

Resource/files are shared

Who can access what?

Access control lists

Access Control Matrices

Capabilities


Page 20

Access Control

Ensures that all direct accesses to objects are authorized

Protects against accidental and malicious threats by regulating the read, write and execution of data and programs

Requires:

Proper user identification

Information specifying the access rights is protected from modification

Page 21

Access Control

Access control components:

Access control policy

specifies the authorized accesses of a system

Access control mechanism

implements and enforces the policy

Page 22

Access Control

How to describe the policies?

“Who can access what?”

Subject: active entity that requests access to an object

- e.g., user or program

Object: passive entity accessed by a subject

- e.g., hardware resource, file, data record

Access right (privileges): how a subject is allowed to access an object

- e.g., subject s can read object o; subject s can execute program p

Page 23

Access Control

Access Control of General Objects

check every access

user permitted doesn't mean always permitted

enforce least privilege

grant access to the minimum set of objects required to complete a task

verify acceptable usage

stack: push(), pop(), …

shouldn't be able to do anything else to the stack

Page 24

Access Control

Least Privilege

Allow the minimum number of privileges necessary to accomplish the task.

Earlier versions of Windows: single user, highest privilege.

OS with access control

How to define privilege for each user?

Page 25

Access Control

Least Privilege

Allow the minimum number of privileges necessary to accomplish the task.

Earlier versions of Windows: single user, highest privilege.

OS with access control

New computer: user starts with an administrative account.

This account has privileges to install software, add users, add hardware, and add and delete almost any program or file.

The account is all powerful and must be used wisely.

If a person uses a browser to access a website that contains malware and they are running as administrator, it is more likely that malware could be installed.

If the person was running as a regular user with minimal privileges, the malware would not have been installed.
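An added Python example (not part of the deck) that ties pages 19, 22, 23 and 25 together: an access control matrix of subjects, objects and rights, the per-subject capability list and per-object ACL derived from it, a reference monitor that checks every access at the moment it is requested, and a browser task launched either with all of its user's rights or with only the rights it needs. The subject and object names, the right names, and the Task/spawn design are assumptions made for this example.

```python
import copy
# Access control matrix (page 22): subject -> object -> set of rights.
# The subjects, objects and right names here are constructed for the example.
MATRIX = {
    "admin": {"system": {"read", "write", "install"}, "docs": {"read", "write"}},
    "alice": {"system": {"read"}, "docs": {"read", "write"}},
}

def capability_list(subject):
    """One row of the matrix: everything one subject may do, object by object."""
    return copy.deepcopy(MATRIX.get(subject, {}))

def acl(obj):
    """One column of the matrix: which subjects may do what to one object."""
    return {s: set(r[obj]) for s, r in MATRIX.items() if r.get(obj)}

class AccessDenied(PermissionError):
    pass

class Task:
    """A running program; it holds capabilities, not a user identity."""
    def __init__(self, name, caps):
        self.name, self.caps = name, caps

    def spawn(self, name, wanted=None):
        """wanted=None: inherit every right the launcher has (the old
        'single user, highest privilege' model). Otherwise grant only the
        rights asked for, and never more than the launcher itself holds."""
        if wanted is None:
            return Task(name, copy.deepcopy(self.caps))
        granted = {o: set(r) & self.caps.get(o, set()) for o, r in wanted.items()}
        return Task(name, {o: r for o, r in granted.items() if r})

    def access(self, obj, right):
        """Reference monitor: check every access, at the moment it is requested."""
        if right not in self.caps.get(obj, set()):
            raise AccessDenied(f"{self.name}: {right} on {obj}")
        return True

def browser_install_attempt(user, least_privilege):
    """Page 25 scenario: the user's browser fetches content that tries to
    install itself into the system. Returns True if the install went through."""
    session = Task(user, capability_list(user))
    needs = {"docs": {"read", "write"}} if least_privilege else None
    browser = session.spawn("browser", needs)
    try:
        return browser.access("system", "install")
    except AccessDenied:
        return False
```

With the browser inheriting everything, the install succeeds only for the administrator; once the browser is spawned with just the rights it needs, it fails even for the administrator.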

Page 26

Discussion

In mobile OS (iOS, Android), how should we adopt the concepts of process isolation, resource encapsulation, and least privilege?